<html>
<body>
Reports classes that may be serialized or deserialized.
<p>
  A class may be serialized if it supports the <code>Serializable</code> interface,
  and its <code>readObject()</code> and <code>writeObject()</code> methods are not defined to always
  throw an exception. Serializable classes may be dangerous in code intended for secure use.
</p>
<p><b>Example:</b></p>
<pre><code>
  class DeserializableClass implements Serializable { // the class doesn't contain 'writeObject()' method throwing an exception
    private int sensitive = 736326;

    private void readObject(ObjectInputStream in) {
        throw new Error();
    }
}
</code></pre>
<p>After the quick-fix is applied:</p>
<pre><code>
  class DeserializableClass implements Serializable {
    private int sensitive = 736326;

    private void readObject(ObjectInputStream in) {
        throw new Error();
    }

    private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
        throw new java.io.NotSerializableException("DeserializableClass");
    }
  }
</code></pre>
<!-- tooltip end -->
<p>
  Use the following options to configure the inspection:
</p>
<ul>
  <li>
    List classes whose inheritors should not be reported by this inspection.
    This is meant for classes that inherit
    <code>Serializable</code> from a superclass but are not intended for serialization.
    Note that it still may be more secure to add <code>readObject()</code> and <code>writeObject()</code> methods
    which always throw an exception, instead of ignoring those classes.
  </li>
  <li>
    Whether to ignore serializable anonymous classes.
  </li>
</ul>
</body>
</html>